Project Status 30 Million LDAP Objects
Experiences after commissioning
Ingo Steuwer
Univention GmbH
Overview
Objective: Modernization of a „Consumer Mail Platform“
Project consortium:
OX: Project owner, Webmail / Groupware
Dovecot: IMAP, MDA
Univention: LDAP /„Provisioning“, Admin Portal
Tarent: „Provisioning Router“
History
Q2 2014: Project start
Q4 2014: Extension: more „business logic“ in provisioning
Q3 2015: first project release with full stack
Q1 2016: Extension: additional services / server roles
Q2 2016: first deployment in production environment
Q3 2016: performance tests
Q4 2016: „going live“ for Univention components
Univention components – provisioning
Project-specific SOAP „provisioning“ interface
Objective: Retrieve and Modify Mailbox LDAP objects
Based on standard Univention Directory Manager (UDM)
Core „business logic“ implemented in UDM Extended Attributes and Modules
Project-specific framework for SOAP requests and notification of other systems
Component diagram: Univention components (Provisioning API, LDAP, Admin-Portal) and surrounding systems: Customer Tools (IDM, Support etc.), Provisioning Router, Webmail / Groupware, IMAP / MDA, Legacy systems
Univention components – LDAP
Standard UCS LDAP infrastructure
UCS DC Master & DC Backup
~ 50 LDAP replicas (DC Backup, DC Slave)
Project-specific:
Automated failover of DC Master / DC Backup
LDAP ACLs: replication, limited access, administration
Replication topology diagram: DC Master and DC Backup at the top, further DC Backups below them, DC Slaves as leaf replicas
Numbers – status at project start in 2014
~ 30 million mailboxes
~ 200.000 provisioning-requests / day
~ 10.000 LDAP updates / hour
~ 170 million incoming mails / day
~ 420 million logins / day (IMAP, SMTP, Webmail)
Numbers – first numbers after going live
~ 30 -> ~ 31 million mailboxes
~ 200.000 -> > 400.000 provisioning-requests / day
~ 10.000 -> > 40.000 (peak) LDAP updates / hour
~ 170 million incoming mails / day (no updated numbers)
~ 420 million logins / day (IMAP, SMTP, Webmail) (no updated numbers)
Limits & bottlenecks
Provisioning (SOAP) requests:
Max: 70 requests / second
Bottleneck: number of instances, network & storage
Number of LDAP modifications:
Max: 70 changes / second (transactions in Univention Listener/Notifier)
Bottleneck: LDAP ACLs & CPU, LDAP Indices & Storage I/O
LDAP BIND authentication
Max: 300 authentications / second / server
Bottleneck: single-thread performance (OpenLDAP connection scheduler)
Lessons Learned – if you have >100.000 identities...
Design decisions:
IDs: all are limited! (uidNumber, gidNumber, SID, ...)
Groups & permissions
UCS default: all users in one group…
UCS@school includes reasonable defaults!
Disk I/O is key (for MDB & Index updates)
LDAP ACLs can kill any performance